Full Report
An attacker running a live Microsoft 365 phishing operation left a Python web server listening on a public port with directory listing switched on. The command that did it: python3 -m http.server 8080, was still sitting in the readable .bash_history. From that one lapse, French security firm Lexfo lifted the operator's entire toolkit and pivoted through it to two more
Analysis Summary
# Incident Report: Exposure of Triple Evilginx Phishing Operations
## Executive Summary
A misconfigured Python web server with directory listing enabled led to the discovery of three active Microsoft 365 phishing operations. Security firm Lexfo leveraged an operator's `.bash_history` lapse to identify multiple custom Evilginx forks, credential logs, and toolkit configurations. The investigation successfully deanonymized African and Middle Eastern threat actors targeting corporate entities via Adversary-in-the-Middle (AiTM) and OAuth device code flows.
## Incident Details
- **Discovery Date:** April 30, 2026
- **Incident Date:** Ongoing (One campaign active for over a year; latest campaign started April 20, 2026)
- **Affected Organization:** Multiple (including French and North American corporate entities)
- **Sector:** Cross-industry (Corporate M365 users)
- **Geography:** Infrastructure hosted in Budapest, Hungary; Operators located in Egypt and Nigeria.
## Timeline of Events
### Initial Access
- **Date/Time:** April 20, 2026 (Launch of "codemado" campaign)
- **Vector:** Phishing via custom Evilginx Adversary-in-the-Middle (AiTM) proxies.
- **Details:** Use of "MaDoO Blaster" bulk mailer to distribute lures targeting M365 credentials and session tokens.
### Lateral Movement
- **Details:** Once session tokens were captured, attackers utilized them to gain unauthorized access to corporate mailboxes. In the "black-queen" variant, attackers abused the Microsoft OAuth device code flow to gain persistent access without ever touching a password.
### Data Exfiltration/Impact
- **Details:** Theft of session cookies with extended TTLs (up to one year). Attackers maintained access by refreshing tokens as they aged, allowing continued "live" access to corporate communications and internal data.
### Detection & Response
- **How it was discovered:** Routine internet scan identified an open directory on a public port (8080) at IP `185.163.204[.]7`.
- **Response actions:** Lexfo conducted a "pivot" analysis of the exposed `.bash_history` and GitHub repositories to track the operators and their toolkits.
## Attack Methodology
- **Initial Access:** Phishing via Proxy-based AiTM (Evilginx) and OAuth Device Code lures.
- **Persistence:** High TTL (1 year) on session cookies; use of RMM (SimpleHelp) installers.
- **Privilege Escalation:** Not specified, but session hijacking provided full user-level access.
- **Defense Evasion:** Renaming HTML attributes (`crossorigin`/`integrity`) to bypass SRI; URL-rewriting to dodge path-based detection.
- **Credential Access:** Harvesting M365 session cookies and login credentials.
- **Discovery:** Comparison of different phishing kits side-by-side on the attack server.
- **Lateral Movement:** Utilizing captured tokens to access M365 environments.
- **Collection:** Automated logging of captured cookies and credentials via Telegram bots.
- **Exfiltration:** Automated exfiltration of session data to attacker-controlled servers/Telegram.
- **Impact:** Unauthorized access to sensitive corporate mailboxes and potential business email compromise (BEC).
## Impact Assessment
- **Financial:** Undisclosed, but typical of high-level BEC and credential theft.
- **Data Breach:** Corporate M365 credentials, session tokens, and internal email access for numerous organizations.
- **Operational:** Potential for unauthorized business transactions and data theft.
- **Reputational:** High risk for affected organizations due to potential for long-term, undetected access.
## Indicators of Compromise
- **Network:**
- `185.163.204[.]7` (Attack Infrastructure)
- `picis[.]net` (Phishing Platform)
- **File:**
- `evilginx2.exe` (Pre-compiled malicious binary)
- `MaDoO Blaster` (Bulk mailing tool)
- **Behavioral:**
- `python3 -m http.server 8080` (Running on public-facing internet)
- Repeated logins from disparate IPs using the same session token (token refreshing).
## Response Actions
- **Containment:** Pivot analysis identified the scope of the three operations.
- **Eradication:** Identification of the operator "codemado" and association with known hacking forums.
- **Recovery:** Report released to inform organizations to implement specific M365 defenses.
## Lessons Learned
- **Operator Error:** Even sophisticated attackers can be compromised by simple operational security (OPSEC) failures, such as leaving a web server open with directory listing enabled.
- **MFA Limitations:** Standard MFA is insufficient against AiTM and Device Code Flow attacks; attackers can "outlast" password resets if session cookies have long TTLs.
## Recommendations
- **Implement CAE:** Use Continuous Access Evaluation (CAE) within Microsoft 365 to revoke tokens immediately upon security events.
- **Conditional Access:** Enforce "Phishing-Resistant MFA" (FIDO2/WebAuthn) to prevent AiTM proxies from intercepting codes.
- **Disable Unused Flows:** Disable the OAuth Device Code Flow if it is not required for the organization's hardware.
- **Monitor Session TTL:** Audit and reduce session cookie lifetimes to prevent long-term persistence.